Analysis
-
max time kernel
133s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 00:24
Static task
static1
Behavioral task
behavioral1
Sample
SQLRayCLI.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
SQLRayCLI.exe
Resource
win10v2004-20241007-en
General
-
Target
SQLRayCLI.exe
-
Size
4.6MB
-
MD5
5513a3dc0c8872659886cf388fdab31e
-
SHA1
75f3e3192f7e609a28f17411da685d384a8f1b99
-
SHA256
9cfac085e4756ef55ffaba67307c1df15bfe14ea600065ad094f9c43c8499aa2
-
SHA512
e2f11372d15f17b5059646f34707bb88ef37fbb26729fc5b82f86bfcc4372d8050f26bdd8cc799ea55c99a326b0b9122841af85581da9dbcd2d00ad925d13be2
-
SSDEEP
98304:Gx6o7DEgTsuvi9fR106kiPZ5KjLQW9p0pxJ:Gx6YDxTlvqfR1Qzj0cWpr
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 780 powershell.exe 4680 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SQLRayCLI.exe -
Executes dropped EXE 2 IoCs
pid Process 4744 51F.sqlraycli.tmp 524 B3D.sqlraycli.tmp -
Loads dropped DLL 1 IoCs
pid Process 1204 SQLRayCLI.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1204 set thread context of 4744 1204 SQLRayCLI.exe 90 PID 1204 set thread context of 524 1204 SQLRayCLI.exe 91 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" B3D.sqlraycli.tmp Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 B3D.sqlraycli.tmp Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents" B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" B3D.sqlraycli.tmp Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 B3D.sqlraycli.tmp Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 B3D.sqlraycli.tmp Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff B3D.sqlraycli.tmp Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents" B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1" B3D.sqlraycli.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" B3D.sqlraycli.tmp Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell B3D.sqlraycli.tmp Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" B3D.sqlraycli.tmp Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" B3D.sqlraycli.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell B3D.sqlraycli.tmp Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" B3D.sqlraycli.tmp -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 780 powershell.exe 4680 powershell.exe 780 powershell.exe 4680 powershell.exe 4744 51F.sqlraycli.tmp 4744 51F.sqlraycli.tmp 4744 51F.sqlraycli.tmp 4744 51F.sqlraycli.tmp 4744 51F.sqlraycli.tmp 4744 51F.sqlraycli.tmp -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 524 B3D.sqlraycli.tmp -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 780 powershell.exe Token: SeDebugPrivilege 4680 powershell.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 524 B3D.sqlraycli.tmp 524 B3D.sqlraycli.tmp 524 B3D.sqlraycli.tmp -
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target PID 1204 wrote to memory of 780 1204 SQLRayCLI.exe 83 PID 1204 wrote to memory of 780 1204 SQLRayCLI.exe 83 PID 1204 wrote to memory of 4680 1204 SQLRayCLI.exe 86 PID 1204 wrote to memory of 4680 1204 SQLRayCLI.exe 86 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 4744 1204 SQLRayCLI.exe 90 PID 1204 wrote to memory of 524 1204 SQLRayCLI.exe 91 PID 1204 wrote to memory of 524 1204 SQLRayCLI.exe 91 PID 1204 wrote to memory of 524 1204 SQLRayCLI.exe 91 PID 1204 wrote to memory of 524 1204 SQLRayCLI.exe 91 PID 1204 wrote to memory of 524 1204 SQLRayCLI.exe 91 PID 1204 wrote to memory of 524 1204 SQLRayCLI.exe 91 PID 1204 wrote to memory of 524 1204 SQLRayCLI.exe 91 PID 1204 wrote to memory of 524 1204 SQLRayCLI.exe 91 PID 1204 wrote to memory of 524 1204 SQLRayCLI.exe 91 PID 1204 wrote to memory of 524 1204 SQLRayCLI.exe 91 PID 1204 wrote to memory of 524 1204 SQLRayCLI.exe 91 PID 1204 wrote to memory of 524 1204 SQLRayCLI.exe 91 PID 1204 wrote to memory of 524 1204 SQLRayCLI.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe"C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680
-
-
\??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp"C:\Users\Admin\AppData\Local\Temp\sqlray_services.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4744
-
-
\??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp"C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:524
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
1KB
MD58fd1d495b09695f4fb95638213559464
SHA18525bec9fcc14bfb53145f339b5498c7d5948563
SHA25621e178a283f66f767540ca84c2f2fe46bfe18add60a41f49a65ac4bdaae1f7a2
SHA51280239f149715fccd6e0d615ace999b483315ec9451664352aea5953a321435964757721e5694e4dfbb3b8aab001621112332617b99eb95994d616160838a82a4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
214B
MD5b2f54e952a76f7a26a817e55ed74cbb8
SHA1cfd0aaa620eb21e8b0e6983d1c9da71eea041131
SHA256a35030e632ea165c675260d8b86dfaf24a460ebc514f39988b1cc073bc4f6878
SHA512af1663e1092ef8158b07b6528f3d731a48d378434cc32c1aea8c74bd8e782aaa412abec63a462e224a40d8cc29d0db6b663c56c49c5544e8bcfbea74b3a4d535
-
Filesize
1KB
MD586d23632843c402a3a34828bb99317c9
SHA1ee7082dcee56cb61d0cae037078efb2a4b32eaae
SHA256eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280
SHA5129a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223
-
Filesize
1KB
MD50989e97671939f5b29ceae47a923b168
SHA1555deb232516cbcd21f52ea4043e3a6ac2dd97f9
SHA256ac6bb5ea2fbce08df97b58a4ff107335c22f54a9f45efe256b28e0bbd0708ca2
SHA51222191f895fcf02437fd6cbdd4030787f7604a0640ef0359db8f42f5a6846de3d9049b05982bc1a7f731af89c74508c6453520199b6ad92204e9a622236299658